Collaborative Threat Mitigation (or Collective Self Defense): DOE's Cyber Fed Model (CFM)
Scott Pinkerton, [email protected], www.anl.gov/it/cfm
Jan 27, 2015
Agenda
§ What is DOE's Cyber Fed Model
§ Subscription vs. participation
§ Relevance & ROI
§ Why are we here?
§ Conclusions & Takeaways
§ Questions
Tech for Security Summit
Cyber Fed Model (CFM) is …
§ A near real-time exchange of cyber threat information focused on the reduction and mitigation of cyber security risk across large enterprises
– Typically every 300 seconds
– Actionable – blocking
– Autonomic
– Highly scalable
Structured Threat Information
§ Information shared uses an XML syntax
– Based upon IODEF (RFC 5070)
– Looking to support OpenIOC formats in the future for sharing malware information
§ Information focuses on IP, DNS, URL, e-mail, hash strings
How Cyber Fed Model (CFM) Works
§ High level: client-server data exchange
§ Reality: central repositories providing access via web service
– Sites control who can see the data they upload (by PGP key)
– Sites decide how to use data they download
§ Repository accepts encrypted files on upload
– Contents may be any format
– Simply export from a third party tool, encrypt, and upload
§ Output comes in standardized XML format
– Allows for predictability
– Converters can translate to another format
– Scripts can convert and send to other tools inline
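The download side of that exchange, as an added example rather than CFM's own converter: a script that takes an IODEF (RFC 5070) document of the kind the repository emits, pulls the source-system indicators out of it, refuses to block anything inside the receiving site's own address space (the "blocking the wrong thing" risk the deck raises later), and writes `ipset restore` lines that a firewall can load. The IODEF document is constructed for this example using the RFC 5070 element names; the set name `cfm-block`, the 3600-second entry timeout and the local-network list are assumptions, not CFM settings.

```python
"""Turn a CFM-style IODEF (RFC 5070) mitigation document into ipset block entries.

Added example for this page, not CFM code. Element names follow RFC 5070;
the sample document, set name, timeout and local networks are assumptions.
"""
import ipaddress
import xml.etree.ElementTree as ET

IODEF_NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}
ADDRESS_CATEGORIES = ("ipv4-addr", "ipv4-net", "ipv6-addr", "ipv6-net")

# Constructed sample: one incident with two hostile sources, one of which
# (192.0.2.77) happens to sit inside the receiving site's own network.
SAMPLE_IODEF = """<IODEF-Document version="1.00" lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="mitigation" restriction="need-to-know">
    <IncidentID name="lab.example">CFM-0001</IncidentID>
    <ReportTime>2015-01-27T10:00:00Z</ReportTime>
    <Assessment><Impact type="recon" completion="failed">SSH brute force</Impact></Assessment>
    <Contact role="creator" type="organization"><ContactName>Example Lab SOC</ContactName></Contact>
    <EventData><Flow>
      <System category="source"><Node>
        <NodeName>scanner.attacker.example</NodeName>
        <Address category="ipv4-addr">203.0.113.10</Address>
      </Node></System>
      <System category="source"><Node>
        <Address category="ipv4-addr">192.0.2.77</Address>
      </Node></System>
      <System category="target"><Node>
        <Address category="ipv4-addr">192.0.2.5</Address>
      </Node></System>
    </Flow></EventData>
  </Incident>
</IODEF-Document>
"""


def extract_indicators(xml_text):
    """Collect addresses, hostnames and e-mail addresses of *source* systems only;
    targets are the victims and must never end up on a block list."""
    root = ET.fromstring(xml_text)
    found = {"addresses": [], "hostnames": [], "emails": []}
    for system in root.iterfind(".//iodef:System", IODEF_NS):
        if system.get("category") != "source":
            continue
        for node in system.iterfind("iodef:Node", IODEF_NS):
            for name in node.iterfind("iodef:NodeName", IODEF_NS):
                if (name.text or "").strip():
                    found["hostnames"].append(name.text.strip())
            for addr in node.iterfind("iodef:Address", IODEF_NS):
                value = (addr.text or "").strip()
                if not value:
                    continue
                if addr.get("category") in ADDRESS_CATEGORIES:
                    found["addresses"].append(value)
                elif addr.get("category") == "e-mail":
                    found["emails"].append(value)
    return found


def filter_blockable(addresses, local_nets, allowlist=()):
    """Split addresses into (block, skip). Anything overlapping the site's own
    networks or its partner allowlist is skipped: a shared alert is global,
    but whether to act on it is a local decision."""
    protected = [ipaddress.ip_network(n) for n in list(local_nets) + list(allowlist)]
    block, skip = [], []
    for a in addresses:
        try:
            net = ipaddress.ip_network(a, strict=False)
        except ValueError:
            skip.append(a)  # malformed indicator: never hand it to the firewall
            continue
        if any(p.version == net.version and p.overlaps(net) for p in protected):
            skip.append(a)
        else:
            block.append(a)
    return block, skip


def to_ipset(addresses, setname="cfm-block", timeout=3600):
    """Emit `ipset restore` lines, one set per address family. Each entry carries
    a timeout (assumed 3600 s, longer than the 300 s exchange cycle) so a source
    that stops appearing in the feed ages out instead of staying blocked forever."""
    lines = []
    for family, version in (("inet", 4), ("inet6", 6)):
        members = [a for a in addresses
                   if ipaddress.ip_network(a, strict=False).version == version]
        if not members:
            continue
        name = f"{setname}{version}"
        lines.append(f"create {name} hash:net family {family} timeout {timeout}")
        lines += [f"add {name} {a} timeout {timeout}" for a in members]
    return lines


def convert(xml_text, local_nets, allowlist=()):
    """Full pipeline: parse, filter against local policy, render ipset lines."""
    found = extract_indicators(xml_text)
    block, skip = filter_blockable(found["addresses"], local_nets, allowlist)
    return to_ipset(block), skip, found["hostnames"]


if __name__ == "__main__":
    lines, skipped, hosts = convert(SAMPLE_IODEF, local_nets=["192.0.2.0/24"])
    print("\n".join(lines))
    print("# skipped (local/allowlisted):", skipped)
    print("# hostnames for DNS RPZ or proxy rules:", hosts)
```

Pipe the output into `ipset restore` and reference the sets from an iptables rule; the hostnames are returned separately because a DNS or proxy block is a different tool than an IP block. The filter is the part to adapt per site: the deck's point that every organization is a snowflake means the local-network and partner lists, not the parser, are where a blanket block goes wrong.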
High Level Architecture
Cyber Fed Model (CFM) maximizes local resources
§ Premise based on the idea of local detection and global response
§ Enables an enterprise to focus their limited resources on their most pressing problems
– Attacks that are occurring on their infrastructure and nowhere else
Effective Cyber Security Defense for an Enterprise
§ It continues to be a hard job
§ Doubly so for those supporting critical infrastructure
§ Doesn't appear to be getting any easier; mostly harder
§ Increasing skill & sophistication of the bad guys; commodity hacking tools
DOE's Cyber Fed Model is not …
§ Optimized for analysis (the transfer of "raw" data)
§ Focused on OS or application advisories (vulnerabilities)
§ Sandboxing or other
§ Shared alerts require someone to first detect the threat
Subscription vs. Active Participation
§ Can you just subscribe to a "feed" of hostile IP addresses and just download them?
– Sure, there are a growing number of "reputational" subscription services
– But will they be RELEVANT to you – assuming none of the energy owner/operators are contributors
[Figure: "Volume of Information" diagram comparing these categories of hostile IP addresses; only the last is specific to this audience]
– IPs exploiting the Microsoft problem du jour
– IPs exploiting the Adobe problem du jour
– IPs sending spam e-mail farming for usernames/passwords
– IPs sending spam e-mail farming for bank account details
– IPs probing for SSH servers
– IPs looking to attack the energy infrastructure
Benefit: Relevance & ROI
We know collaboration is hard
§ Every organization is a snowflake
– B2B/collaborations vary
– Blocking the wrong thing can be highly disruptive
§ Legal agreements are tricky
– Definitions of terms can vary
• What does MOU mean to you? ISA? ToS? etc.
§ Attribution and disclosure concerns
§ Attack vectors change
Why are we here?
§ We believe ...
– Cyber threats to critical infrastructure exist
– Collaboration and collective defense are essential
– DOE Cyber Fed Model (CFM) can be part of the solution
§ We want to ...
– Help protect our country's critical infrastructure
– Begin a pilot to assess efficacy in the electric sector
– See threat overlap between the electric sector and DOE
§ We have ...
– DOE labs willing to share – public-private sector partnership
– Electric sector entities which have expressed interest
– Experience in collective defense
Conclusions & Takeaways
§ Common adversaries exist and are active
§ Collaboration will be key to future cyber defense
§ The DOE Cyber Fed Model (CFM) provides collective defense in a flexible, site-controlled manner
§ CFM can help maximize your cyber security resources
Questions?
www.anl.gov/it/cfm